Auditing for Cybersecurity Risk

Around the globe, cybercrime cost society over $3 trillion in 2018, and this cost is forecast to rise to $6 trillion by 2021 (“Cybercrime Damages $6 Trillion by 2020,” Cybersecurity Ventures, Dec. 7, 2018, http://bit.ly/2K6cC7k); that translates to a 43% year-over-year increase for each of the next three years. At $6 trillion, cybercrime will represent approximately 7% of worldwide GDP and will be the third largest component of the world economy, just behind the GDPs of the United States and China. U.S. ransomware costs have grown from $25 million in 2014 to over $8 billion in 2018 and are showing no signs of stopping (“Global Ransomware Damage Costs Predicted To Exceed $8 Billion In 2018,” Cybersecurity Ventures, June 28, 2018, http://bit.ly/30Oc3VE). Ginni Rommety, IBM’s chairperson, CEO, and president, has stated that “cybercrime represents the greatest threat to every company in the world” (Steve Morgan, “IBM’s CEO On Hackers: ‘Cyber Crime Is The Greatest Threat To Every Company In The World,’” Forbes.com, Nov. 24, 2015, http://bit.ly/2Ww6M5V).

Yet society continues to ignore the issue or pass the buck, saying that cybercrime is a complex technology problem. In reality, cybersecurity is everyone’s responsibility, as 89% of all cyberattacks come from inside organizations via malfeasance or nonfeasance (“The Primary Factors Motivating Insider Threats,” ObserveIT, May 21, 2018, http://bit.ly/2K7RvSg).

The Scope of the Problem

According to a GAO audit released in September 2018, government agencies, including the federal government, are failing to adequately address cybersecurity risks, jeopardizing not only the operations of federal government and state governments, but also the personal information of U.S. citizens (Urgent Actions Needed to Address Cybersecurity Challenges Facing the Nation, http://bit.ly/30uErMq). The report notes that, of the more than 3,000 recommendations the agency has issued since 2010, 1,000 have not been implemented as of August 2018. In addition, 31 of the 35 highest priority recommendations have not been addressed, including the following:

Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace

Improve implementation of government-wide cybersecurity initiatives

Strengthen the federal government’s role in protecting the cybersecurity of critical infrastructure (e.g., the electric grid and telecommunications networks).

No venture intends to fail, so why are companies failing so badly? Consider the following three examples:

Equifax.

Equifax suffered a major breach in March 2017, but the company did not discover it until July 2017. It neglected to report the breach to the public and did so only after an SEC insider trading investigation into several executives uncovered that the executives knew about the breach. It was finally reported to the public in September 2017, yet Equifax was ill prepared to determine the actual number of breached individuals and failed to provide accurate information to the third-party remediation firm. The U.S. Senate report on the breach (http://bit.ly/2JAhceA) castigated Equifax for—

not following its own patch policy (8,500 known vulnerabilities, including 1,000 critical vulnerabilities, were identified by a 2015 audit. Equifax failed to do any follow-up audits or patch its systems. Equifax’s patching policy mandated the company’s IT department patch critical vulnerabilities within 48 hours.)

deliberately choosing to save personally identifiable information (PII), including usernames and passwords, in unencrypted file shares accessible by Equifax employees, and not having basic tools in place to detect and identify changes to files.

On May 22, 2019, Moody’s downgraded Equifax’s rating to “negative,” saying, “Higher cybersecurity costs will continue to hurt the company’s profit and free cash flow for the forseeable future.” While this is the first downgrade as the direct result of a cyberattack, it will not be the last.

Starwood.

Starwood suffered a significant data breach of approximately 500 million customers’ information. Included in the theft were over 327 million records with PII and over 5 million unencrypted passport numbers. The breach dated back to 2014, but was not detected until September 2018. For more than 1,300 days, Starwood data integrity had been compromised and no one, including Marriot, which acquired Starwood in November 2015, knew about the breach. Of note, the FBI Electronic Crimes division estimates that for every 100 days between a breach and the discovery of the breach, the cost of the breach doubles. This suggests that the ultimate cost of the Starwood breach will be 8,192 times the “original” cost had it been discovered immediately. A comprehensive security assessment at any time over the 1,300-day period would have found the breach.

Citrix.

On April 29, 2019, Citrix sent a letter to the attorney general of California confirming that a breach had occurred on October 13, 2018, 196 days earlier. In the letter, Citrix confirmed that it was advised of the breach by the FBI on March 9, but waited seven additional weeks to inform the public (http://bit.ly/2Erqbus). It also advised the public to utilize monitoring services from Equifax.

In none of the cases above were technology and tools the root causes of the severity of the attack. All too frequently, the cause of a breach lies in the actions of human beings.

What Are the Compelling Issues?

Lack of business focus.

When a cyber-crime event occurs, the information security (IS) team or information technology (IT) team immediately begins attacking the problem with all of its resources. Too often, however, these efforts remain siloed from the rest of the business. At the same time, business units are experiencing critical systems failures and “pinging” the IT and IS teams to find out what is happening, and executives are dealing with the public reaction to the incident and its potential market implications. This only adds to the chaos, exacerbating the cost of the breach and significantly increasing the likelihood that the business will fail.

Auditors are tasked with documenting and categorizing risk; if they do not know where the critical data reside, how can they effectively measure and report on the client’s risk?

Inadequate resourcing and training.

Companies too often view incident response as a sunk cost that has no benefit to the bottom line. Executives express concern that incident response costs are taking money, time, and people away from driving revenue. Moreover, when organizations conduct cybersecurity training, the focus is usually on the IT and IS teams, as opposed to the entire business. Even when companies do company-wide training, the message often does not stick. As a result, too many companies inadequately prepare themselves for an attack that, sooner or later, will occur.

Inadequate understanding of the risks.

How many organizations really understand the level of cybersecurity risk? How often do companies perform a cybersecurity framework risk assessment? When speaking to risk executives, the most frequent response to “What keeps you up at night?” is “I have no idea where my most critical data reside.” Auditors are tasked with documenting and categorizing risk; if they do not know where the critical data reside, how can they effectively measure and report on the client’s risk, especially in the case of small and medium-sized businesses?

In 2016, a clothing manufacturer contracted for a social engineering pen test at a secure site, accessible only via card-key locked doors. The testing team successfully penetrated the most secure systems in the company, including its mainframe, in less than two hours without using a single technology tool. In another example, a large Wall Street financial services company recently discussed how it repeatedly tests employee adherence to corporate email standards. One key policy is that employees never open e-mail attachments from an unknown source; during its last test, however, 65% of employees opened the attachments on the test phishing e-mail.

Inadequate monitoring.

Unified training as to why cybersecurity tools provide critical support, which parts of the data infrastructure represent the greatest risk to the business, and how to mitigate those risks, is sorely lacking at many companies. There is a fundamental lack of risk analysis and assessment. Consider the examples above: Equifax, Starwood, and Citrix all possessed and used best-in-class, comprehensive security information and event management (SIEM) monitoring tools. Yet in each case, the tools were being directed at the wrong areas. Starwood’s breach was not noticed for over 1,300 days. Equifax’s monitoring was so bad that when Mandiant came in after the breach, it was given inaccurate information. The Citrix incident is still so fresh that it will be several months before observers know what happened. Consider also MyHeritage, which only found out about a breach of 93 million customer records when a university researcher sent a file he found on the dark web, entitled “MyHeritage files”, to the MyHeritage chief information security officer (CISO) asking, “Is this yours?”

Lack of an incident response plan (IRP).

This is primarily a problem in small and medium-sized companies. A company’s size does not obviate its risk, however; in the United States, FEMA reports that only 70% of cyberattacks are aimed at small and medium-sized companies, covering only 50% of the business landscape. According to FEMA and the National Cyber Security Alliance, as much as 60% of small and medium-sized companies that are attacked go out of business after six months. In the United States in 2018, there were approximately 217,000 businesses between $10 and $500 million of annual revenue; that means more than 65,000 businesses can be expected to fail due to economic fallout from a cyberattack. Any time a business fails, there are ripple effects. For example, insurers have to pay out on claims, service companies lose clients, and real estate companies lose rental income.

Lack of updating and testing of the IRP.

Once organizations have an IRP, they tend to check off the compliance box, put the plan on a shelf, and don’t bother looking at it again until an incident occurs. This leaves them with IRPs that do not reflect the current business environment, responsibilities, regulatory requirements, or staff. Too often, companies end up with multiple points of failure within their plans; by not testing their plans on a regular basis, organizations have no way to validate their efficacy or remediate their weaknesses. Some businesses rely on cyberinsurance to mitigate the risk, but most cyberinsurance policies for small and medium-sized companies have a $250,000 coverage limit, while the median cost to a small company (25 employees or less) to recover from a cyberattack is $690,000. The median cost for a 100-employee company is $1.1 million, and the costs rise geometrically from there.

The human factor underpins so much of the risk that enables cyberattacks and allows them to succeed, and it does so on both sides.

Lack of third-party support.

The chief information/chief security officer of a large New York–based credit union once shared his nightmare experience with the author, describing the helpless panic he felt in negotiating a deal with a world-class response vendor for the first 72 hours after a major data breach. He talked about his lack of leverage in negotiating anything with the third party, all while his credit union was front-page news. It was the worst 72 hours of his career.

The reason for third-party support is to get an unbiased view of the problem. The biggest challenge an organization has during an incident is that too many staff members operate under assumptions because they know the business and take logical shortcuts. Assumptions almost never match up to the reality, however, exacerbating the impact of the incident. The third party does not know the business and therefore must follow the documentation and the defined processes.

Lack of audit involvement.

Auditing is a key component in risk assessment and prevention. Without an independent set of eyes looking at the processes, policies, and governance issues, how can an organization ever have a clear picture of the risk? How can auditors ever certify the overall business health of the client—a critical part of 10-Ks and annual reports—without that understanding?

If this were primarily a technology problem, the big financial service firms and technology firms would never be hit, but they are. If this were only a technology problem, cybercrime would not be growing as fast as it is. The human factor underpins so much of the risk that enables cyberattacks and allows them to succeed, and it does so on both sides. Both the breachers and the company insiders whose mistakes enable successful breaches are human. There is an affirmative obligation for everyone responsible for cybersecurity (i.e., everyone) to recognize that ignoring the problem does not solve anything.

Solutions

Companies must learn to live with cyberattacks as a normal part of daily business. That said, they can significantly reduce the impact of these attacks and protect the digital assets that have more value to businesses than cash in the bank.

Focus on the business.

Incident response is a vital requirement for corporate health. It is a function that should report to the CEO or the board and be treated as a primary fiduciary responsibility by the board and executive team. Cybersecurity should be viewed as a business issue, not a technology issue, and every part of the business should be on the same page. Auditors need to call this out.

Understand the risks.

Auditors should ask clients, “Where is your most critical data?” If management is not able to answer that question simply, that’s a problem. In addition, auditors should ask about the IRP, password controls, regulatory impacts, and cybersecurity framework assessments such as National Institute of Standards and Technology (NIST) SP 800-53 or NIST SP 800-171. Auditors should understand the entire governance framework in use and assist by bringing in the right third-party resources to do the work.

Audit to ensure adequate resourcing.

An incident response team, when properly constructed, serves the needs of the business. To do that, the team must have stakeholders and representatives from all parts of the business. In addition, there should never be a single point of failure in any aspect of incident response. The only way to get organizations to understand the impact of these risks is to provide training.

Update understanding of the risks.

Assess the risk of the client’s environment on a regular basis. Identify the risks and look closely at which risks are most critical. An easy decision is to get rid of passwords; as currently constructed, password controls are a failure. Bill Burr, a manager at the NIST who wrote the password primer in 2003 that recommended many of the rules now in use, concedes that he was wrong and that the current paradigm actually increases risk. Instead, some form of multifactor authentication should be mandatory, such as a gold-chip ID card (e.g., PIV, PIVI, or RapidGate) tied to a registered device, such as the user’s cellphone.

Patch security flaws in a timely fashion.

Yes, there is much regression testing that needs to be done, and one patch can sometimes break production applications. But consider that the NonPetya/WannaCry(pt) day-zero patch was released in March 2017, and companies waited between 3 and 18 months to patch for it, at a cost of over $10 billion worldwide. The more than $348 million lost at Reckitt-Benckiser alone is far greater than the cost of a short-term production failure.

Implement more active and effective monitoring.

Once an organization understands the risks, it can effectively deploy the tools to better monitor risk areas. Furthermore, best practices dictate that an organization should have a predefined plan for periodic security framework assessments. This means using the best third-party tools available to do a deep scan of the entire enterprise. Whether done annually, biannually, quarterly, or continuously, know the timeframes. With a cross-industry average of approximately 220 days between a breach and its discovery, make an informed decision on how long the company can afford to leave an incident undiscovered.

There should never be a single point of failure in any aspect of incident response.

Audit the IRP.

If one does not exist, raise it as an audit exception. Ensure that the IRP is fully cross-functional, with multiple resources from each of the following:

The executive suite

HR

Legal/compliance/audit

Business side

Customer service

IT and IS

Service desk

Security incident response team (SIRT)

Marketing and communications

Make sure to include links to shareholders, the board, and investors. Empower the plan to get in front of bad news, as opposed to responding to the flurry of media requests. A key goal of the IRP is to make sure all parts of the organization are speaking with a single voice. Do not devolve into a blame game; work the problem instead.

Update and test the IRP regularly.

Businesses are not static, and the IRP should always reflect the business. Build in the appropriate collaboration tools to support updates to the plan at least once a year. When testing the plan, try to make it fail—far more can be learned from plan failures than from a smooth, no-issue test. The goal is not to assign blame; the goal is to find any embedded weaknesses and remediate them quickly. When the real event occurs, a tested and updated plan will always assist in recovering faster and at a far lower cost than otherwise.

Perform a physical audit.

The number of password violations in any organization is staggering. Flag them.

Obtain proper third-party support.

Establish a retainer agreement with one or more forensic or incident response consultants. Having an independent, objective view is a critical element in developing a complete picture of the incident. Work with the third-party vendor to conduct an annual security audit.

Cybersecurity must be part of the fabric of any business, and auditing can facilitate this. Ultimately, effective cybersecurity is about taking fiduciary responsibility.

Steven Wertheim is president of SonMax Consultants Inc., Marlboro, N.J.

About The CPA Journal

The CPA Journal is a publication of the New York State Society of CPAs, and is internationally recognized as an outstanding, technical-refereed publication for accounting practitioners, educators, and other financial professionals all over the globe. Edited by CPAs for CPAs, it aims to provide accounting and other financial professionals with the information and analysis they need to succeed in today’s business environment.